1
Proactive and Preventative Vendor Security Management
Session 188, February 13, 2019, 4:00 PM
Mitchell Parker, Executive Director, Information Security, Indiana University Health
2
Mitchell Parker, MBA, CISSP
Has no real or apparent conflicts of interest to report.
Conflict of Interest
3
Statement of Issue
Background on Security
Mergers and Acquisitions
Background on Devices and Systems
Business Drivers
What has happened?
Where do we start?
The five key areas of technology management
Conclusion
Agenda
4
Recognize the requirements for implementing an effective vendor
management program for technology
Apply knowledge learned from this presentation to proactively
improve vendor relations
Analyze existing vendor agreements and outsourcing contracts
and be able to modify them to support information security
initiatives
Develop effective requirements and goals for Clinical Engineering
to accomplish either via statements of work or program
management to support security requirements
Define and measure the effectiveness of an enterprise-wide
preventive security program and demonstrate metrics to senior
management
Learning Objectives
5
We have too many vendor technologies and not enough guidance
on how to effectively manage security for them
In the past decade, as we’ve increased the usage of Electronic
Medical Records, and have automated manual processes, we’ve
connected a significant number of new technologies to the
network
There has not been a corresponding increase in expertise with
cybersecurity on many fronts
Statement of Issue
6
Medical Providers are not all large academic healthcare
institutions
According to the American Medical Association, in 2014,
60.7% of the medical providers out there are small practices
with 10 or fewer physicians.
Source: https://www.ama-assn.org/press-center/press-
releases/ama-study-finds-majority-physicians-still-work-
small-practices
According to the American Hospital Association in 2016, the
average operating margin was 6.7%, with 30.6% of hospitals
having negative operating margins
Source: https://www.aha.org/system/files/2018-05/2018-
chartbook-table-4-1.pdf
Background on Security
7
Medical Providers are not all large academic healthcare
institutions
According to the Nebraska Hospital Association in a
personal interview, 75% of the hospitals in their state are
rural and in small towns
These hospitals don’t have IT departments. They have
outside consultants or someone doing IT as a side job
Rural and Critical Access Hospitals, as a rule, have
people that have multiple skills or jobs
Background on Security
8
Many of these providers and hospitals do not have the staff to
maintain security
They are lucky if they have staff to maintain the EMR
We are at an inflection point with new technologies where the
security world is going to get turned upside down on providers
again
New WiFi standards (WiFi 6/802.11ax, 802.11ay)
5G/Reliance on Cellular Service
Sunsetting of legacy technologies such as Pagers
Shift to Consumerism
Background on Security
9
There has been significant acquisition activity with health services
companies actively making deals changing the system landscape
Pennsylvania alone has had UPMC, Jefferson, Penn
Medicine, and Tower Health reshape the landscape since
2014
New Jersey has had Hackensack Meridian and Barnabas
Health do the same
Advocate/Aurora in the Midwest has also had impact
CHS has had both significant acquisitions and divestitures
nationally
According to PwC’s US Health Services Deals Insights Q3
2018, there were 261 transactions in Q3 2018, and over 200
in each quarter since Q4 2014
Source: https://www.pwc.com/us/en/health-industries/publications/pdf/pwc-us-health-
services-deals-insights-q3-2018.pdf
Mergers and Acquisitions
10
1. How does this all relate to them?
We have had to get very smart about cybersecurity as part of the
“M&A Playbook” very quickly, for both acquisitions and divestitures
Medical devices, which at one time were considered a capital
expense like a bed or supplies, are computer systems in
themselves
Scratch that part about the bed…the new ones are full-
fledged systems in themselves!
Not having a plan as you acquire/divest will lead to risks
later
Background on Devices and Systems
11
Smart Bed Example:
Background on Devices and Systems
12
2. More about devices…
They are pervasive
They are now part of the care process
They were originally never designed to sit on a TCP/IP
network
Serial devices, yes, where a continual data stream could be
sent uninterrupted over a dedicated line
Ethernet and TCP/IP are very different from serial
Wireless is even more difficult to account for (no lines)
5G/Cell-based technologies have to take more into account
PACS/DICOM is an exception to this
This change is still a major challenge that vendors are working on
as it greatly increases complexity!
Background on Devices and Systems
13
3. Appliances
These were mainly designed as appliances that require basic
upkeep
We’ve managed them the way we always have, which is by either:
A small Clinical Engineering Team
Outsourced Third-Party Contractors
Consultants
The Vendors themselves
Background on Devices and Systems
14
4. Networking
We’ve put them on the same networks as other devices
This is not out of ignorance; it is people willing to accept risk
Not everyone understands networking or security well
Not everyone has the resources for a full security program
This exposes devices that were never meant to be put on
large networks with lots of traffic to exactly that
Manufacturers are still grappling with the change from
serial to TCP/IP
Upcoming FDA guidance speaks of encryption and key
management
We are increasing complexity significantly!
Background on Devices and Systems
15
5. Smaller Offices = Consumer/Small Office Devices
Connectivity to a lot of smaller offices is done using consumer
equipment
Think Linksys, Belkin, Netgear, or what the local store
carries
Consumer equipment doesn’t have the long support
lifecycles of gear from Palo Alto, Cisco, or Fortinet
It also is a lot easier to set up for non-IT professionals
When you have limited resources, you’re not going to put
something in that has a high chance of breaking and that you
can’t quickly fix or replace. You’re going to go to Wal-Mart or
someplace within a 30 minute drive
When you need something quickly and have patients
waiting, you are not going to wait
Background on Devices and Systems
16
6. Vendor Support
This is also done for vendor support purposes. It’s easier for a
tech to remote into a PC and then connect to a device or system
either over USB or the network if it’s on the same segment than to
put in a persistent VPN connection
VPN connections open up additional risk
We can’t expect medical offices that run on consumer grade
equipment to even know what IPSec is
It’s hard for software developers to grasp the nuances of
networking and PKI
Numerous breaches caused by insecure implementations of
security protocols prove that
Heartbleed (a missing bounds check in OpenSSL’s TLS
heartbeat handling that leaked server memory, including
private keys) and similar flaws
Background on Devices and Systems
17
7. Aftermarket Devices
We have a very large aftermarket of used devices across the
world
Smaller facilities and those in non-First World countries buy
these devices used
They are not always cleaned off or secured
They likely aren’t getting updates
Many of these devices are older and won’t get updates
Background on Devices and Systems
18
7. Aftermarket Devices
Maastricht University donated an MRI to the Cuban
Neurosciences Center:
Background on Devices and Systems
19
7. Aftermarket Devices
We also need to account for these in M&A and divestitures
Do they meet the new corporate standard?
Have they been assessed for risk?
Most importantly, if the facility has had financial difficulties,
did it cut support?
Background on Devices and Systems
20
We have business drivers driving the Internet of Medical Things
(IoMT)
Shift from Inpatient to Outpatient
Need for Monitoring of chronic patients (COPD, diabetes)
and compliance
Patient Satisfaction/Clinician Communication
Population Health
Smartphones and Health Apps
Fitbits and Consumer Devices
Business Drivers
21
What does the business see?
22
We’re seeing a lot of “one weird trick” marketing from companies
offering to sell us equipment to do all the work for us.
One weird trick…
23
A number of high-profile incidents have demonstrated that medical
devices are not secure, and were not designed with security as a
requirement.
WannaCry
Pfizer/Hospira Pumps security issue
Ransomware attacks on Windows-based systems
There is now draft guidance from the FDA, and proposed legislation,
to address these issues, focusing on the development process
and vulnerability management
There are companies and people attempting to resolve these
issues using new technologies
Blockchain-based tech to verify and validate security and
safety of devices across owners by device (Spiritus
Partners)
What has happened?
24
There is technology, but there are also business issues to address
The technology issue is obscuring the management of devices,
and how we can practically plan and manage to have them in the
environment
Make it so that we have a playbook that non-technical staff
can follow, and that explains why each step matters
Bridge that last mile with everyone
What has happened?
25
It starts with a plan
Even if you don’t have a security team, develop a plan to
manage your vendor technology in five areas:
Contracts and Language: the rules of engagement
Preparation
Acquisition
Maintenance
Disposition
Where do we start?
26
1. Contracts and Language
You need to have six core sets of terms in your contracts to
address potential security issues:
Minimum Security Standards for encryption and supported
components
Identify how you will be notified of vulnerabilities
SLA for notification time/workarounds
SLA for patch availability
BAA that covers security logging and auditing
Who reviews the logs?
Identify responsible parties in the contract in writing!
The five key areas of technology
management
27
2. Preparation
Identify Vendors
Establish relationships (external)
Include other organizations that run this product.
Get to know your vendors well and have a relationship.
Even if you buy from a GPO, get to know the team
Establish relationships (internal)
Clinical Engineering, esp. outsourced managers
Consultants
Legal/Contract Management
Supply Chain (esp. if outsourced!)
The five key areas of technology
management
28
2. Preparation
Plan to Manage
Plan for Emergencies/Issues/Downtime/Recovery
Build standard work that includes service levels
Nothing gets done for a CE contractor without a work
order (one contract had 6 places that specified this!)
Make sure you have a good relationship with the people
in charge of CE so you can get work orders issued.
Plan for good network security to buy time.
It takes a long time to patch CE equipment due to
resource issues.
Segmenting these devices helps spread the work
and make it predictable.
The five key areas of technology
management
29
2. Preparation
Identify how you will be notified of vulnerabilities and changes
If you are buying used, make sure you can get the
patches in the first place and have a reliable resource
(read: Not the Pirate Bay) to get them
ECRI, FDA, vendor themselves, etc.
Identify testing/downtime processes
Identify vendor contacts
Identify resources
Identify network requirements and how to meet them
Build out how to manage segments and devices.
Build out how to monitor networks for anomalies
The five key areas of technology
management
30
2. Preparation
If you’re small, consider a managed service to monitor
security so you can collect device logs and be alerted to
issues.
I do not expect most offices to have a SIEM but they
have devices. A managed service helps turn those
alerts into plans
We made recommendations to draft FDA guidance for
log files for this reason
We look at the SIEM as being critically important as no
human being is going to look at log files.
Let AI, ML, and other tech do this for you
Get templated statements of work for product security
updates and product maintenance
The five key areas of technology
management
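The Preparation slides ask for segmented device networks, anomaly monitoring on those segments, and device logs that turn into alerts. The following is an added example, not code from the presentation or from any vendor product: a small segment-aware check over firewall/NetFlow-style flow records. The device VLAN, allow lists, hosts, addresses and log lines are all constructed for illustration; a real deployment would read the same fields from the firewall or collector export.

```python
"""Segment-aware anomaly checks over firewall/NetFlow-style records.

Added example for this deck; not code from the presentation or from any
vendor. The policy, addresses and flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed policy for one clinical-device VLAN.
DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_OUTBOUND = {          # (destination, port) a device may initiate
    ("10.10.0.5", 104),       # PACS / DICOM receiver
    ("10.10.0.20", 443),      # vendor remote-support gateway
    ("10.10.0.53", 123),      # NTP
}
ALLOWED_INBOUND_SOURCES = {"10.10.0.20", "10.10.0.30"}  # support gateway, CE workstation
SCAN_THRESHOLD = 3            # one source hitting this many devices on one port

# Constructed log: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
2019-02-13T16:00:01,10.20.0.11,10.10.0.5,104,tcp
2019-02-13T16:00:02,10.20.0.12,10.10.0.53,123,udp
2019-02-13T16:00:05,10.20.0.11,10.10.0.20,443,tcp
2019-02-13T16:00:09,10.20.0.13,52.10.77.4,443,tcp
2019-02-13T16:00:11,10.20.0.12,10.10.0.5,22,tcp
2019-02-13T16:00:14,10.30.0.77,10.20.0.11,445,tcp
2019-02-13T16:00:15,10.30.0.77,10.20.0.12,445,tcp
2019-02-13T16:00:15,10.30.0.77,10.20.0.13,445,tcp
2019-02-13T16:00:16,10.30.0.77,10.20.0.14,445,tcp
2019-02-13T16:00:20,10.10.0.30,10.20.0.11,8443,tcp
"""


def parse_flows(text):
    """Turn the CSV-like text into a list of dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def in_segment(ip):
    return ipaddress.ip_address(ip) in DEVICE_SEGMENT


def analyze(flows):
    """Return (kind, source, detail, port) alerts.

    kinds: internet_egress  - a device reached a public address
           policy_violation - a device reached an internal host/port not on the allow list
           lateral_scan     - an unapproved source touched >= SCAN_THRESHOLD devices on one port
    Device-to-device flows inside the segment are out of scope here.
    """
    alerts = []
    inbound = defaultdict(set)        # (src, port) -> devices contacted
    for f in flows:
        src_dev, dst_dev = in_segment(f["src"]), in_segment(f["dst"])
        if src_dev and not dst_dev:
            if (f["dst"], f["port"]) in ALLOWED_OUTBOUND:
                continue
            kind = "internet_egress" if ipaddress.ip_address(f["dst"]).is_global else "policy_violation"
            alerts.append((kind, f["src"], f["dst"], f["port"]))
        elif dst_dev and not src_dev and f["src"] not in ALLOWED_INBOUND_SOURCES:
            inbound[(f["src"], f["port"])].add(f["dst"])
    for (src, port), devices in inbound.items():
        if len(devices) >= SCAN_THRESHOLD:
            alerts.append(("lateral_scan", src, f"{len(devices)} devices", port))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the constructed log this raises three alerts: a device talking to a public address, a device reaching an internal server on a port the segment policy does not allow, and one internal host sweeping four devices on TCP 445, the pattern a WannaCry-style worm leaves when it hits a device segment. The point for a small shop is that the rules are a short allow list per segment, which a managed service or a SIEM can enforce for you once the segmentation exists.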
31
3. Acquisition
If you’re acquiring used devices, make sure that you still have a
plan to manage as if they were new
You may have to pay a little extra to reestablish
maintenance contracts
If you’re going through M&A you need to have this in the
playbook!
Follow through on your processes from Preparation
The five key areas of technology
management
32
4. Maintenance
Develop and execute Standard work for devices as you
need to be able to measure staffing levels and manage
these devices
Log and register maintenance/sec updates on these devices
Wireless Security is going to be key as standards evolve
Log and register maintenance on your networks just like CE
devices
We expect the Joint Commission, based on statements that
the loss of a wireless network is a patient safety issue, to
ask similar questions
Make sure you have a documented change management
program and follow through with it
Log device changes to a central registry
The five key areas of technology
management
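The Contracts slide calls for SLAs on vulnerability notification and patch availability, and the Maintenance slides call for registering security updates centrally and reporting metrics to senior management. The following added example, not code from the presentation, ties those together: a registry of device/vulnerability rows scored against each vendor's contracted SLA, rolled up into a per-vendor scorecard. The vendor names, contract terms, device IDs, advisory IDs and dates are all constructed.

```python
"""Vendor patch-SLA scorecard from a device/vulnerability registry.

Added example for this deck; not from the presentation. Vendor names,
contract terms, device IDs, issue IDs and dates are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2019, 2, 13)   # constructed "as of" date for the report

# Constructed contract terms: days allowed from public disclosure to
# (a) the vendor notifying us and (b) a patch being available.
SLA_DAYS = {
    "VendorA": {"notify": 7, "patch": 60},
    "VendorB": {"notify": 14, "patch": 90},
}


@dataclass
class Entry:
    device: str
    vendor: str
    issue: str                  # vendor advisory or internal tracking ID
    disclosed: date             # public disclosure date
    notified: Optional[date]    # when the vendor told us (None = not yet)
    patch_available: Optional[date]
    applied: Optional[date]     # when CE applied it (None = still open)


# Constructed registry rows.
REGISTRY = [
    Entry("INFUSION-01", "VendorA", "adv-001", date(2018, 11, 1), date(2018, 11, 5), date(2018, 12, 10), date(2019, 1, 15)),
    Entry("INFUSION-02", "VendorA", "adv-001", date(2018, 11, 1), date(2018, 11, 5), date(2018, 12, 10), None),
    Entry("MRI-01",      "VendorB", "adv-002", date(2018, 10, 1), date(2018, 10, 20), None, None),
    Entry("MONITOR-07",  "VendorB", "adv-003", date(2019, 2, 1), None, None, None),
]


def evaluate(entry, sla, today):
    """Score one registry row against its vendor's contract terms.

    A missing date counts as 'today', so a breach is only declared once the
    SLA window has actually elapsed (MONITOR-07 is still inside its window).
    """
    terms = sla[entry.vendor]
    notify_days = ((entry.notified or today) - entry.disclosed).days
    patch_days = ((entry.patch_available or today) - entry.disclosed).days
    closed_on = entry.applied or today
    backlog = (closed_on - entry.patch_available).days if entry.patch_available else 0
    return {
        "device": entry.device,
        "vendor": entry.vendor,
        "issue": entry.issue,
        "open": entry.applied is None,
        "notify_breach": notify_days > terms["notify"],
        "patch_breach": patch_days > terms["patch"],
        "exposure_days": (closed_on - entry.disclosed).days,  # disclosure -> fix (or today)
        "backlog_days": backlog,   # patch existed but was not applied: our side of the SLA
    }


def vendor_scorecard(registry, sla, today):
    """Per-device results plus per-vendor totals suitable for a management slide."""
    results = [evaluate(e, sla, today) for e in registry]
    card = {}
    for r in results:
        c = card.setdefault(r["vendor"], {"items": 0, "open": 0, "notify_breaches": 0,
                                          "patch_breaches": 0, "max_exposure_days": 0})
        c["items"] += 1
        c["open"] += int(r["open"])
        c["notify_breaches"] += int(r["notify_breach"])
        c["patch_breaches"] += int(r["patch_break"] if False else r["patch_breach"])
        c["max_exposure_days"] = max(c["max_exposure_days"], r["exposure_days"])
    return results, card


if __name__ == "__main__":
    results, card = vendor_scorecard(REGISTRY, SLA_DAYS, TODAY)
    for r in results:
        print(r)
    for vendor, totals in card.items():
        print(vendor, totals)
```

Two numbers on the scorecard matter in a contract conversation: the vendor's breaches (notification and patch availability, measured from public disclosure as the contract defines them) and our own backlog (a patch existed for 65 days on INFUSION-02 and was never applied, which is a CE work-order problem, not a vendor problem). Keeping both on the same report stops the discussion from becoming one-sided.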
33
4. Maintenance
For large-scale upgrades, use Failure Mode and Effects Analysis
to map out potential process failures.
Make sure you involve all parties and communicate well with them
when you perform maintenance.
Yearly risk assessments and risk management plans to discover
and address security issues.
If you bring in tools, make sure they address a real and identified
risk!
The five key areas of technology
management
34
5. Disposition
Erase devices
Build erasure/refit costs into sale price
Consider registering devices in a centralized registry so buyer has
history
The five key areas of technology
management
35
There is a lot more to the backstory of medical devices than just
insecure development
It takes a lot to change multiple decades of development and
evolution from serial ports and dedicated lines to 5G
Even then, we have to manage these devices differently than we
have before
It’s not impossible if you have a plan
A five-step plan (Contracts, Preparation, Acquisition, Maintenance,
Disposition) can help you immensely
What have we learned?
36
Please complete your online session evaluation!
Contact Info:
Mitchell Parker
Executive Director, Information Security and
Compliance
Indiana University Health
Email: Mitchell.parker@iuhealth.org
Twitter: @mitchparkerciso
LinkedIn: https://www.linkedin.com/in/mitch-p-
95a9a04/
Cell: 215 519 1053
Questions?